From patchwork Wed Mar 3 10:41:24 2021
X-Patchwork-Submitter: Bin Meng
X-Patchwork-Id: 1446558
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v3 1/5] hw/sd: sdhci: Don't transfer any data when command time out
Date: Wed, 3 Mar 2021 18:41:24 +0800
Message-Id: <1614768088-20534-2-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>
References: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
    -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive \
    -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Acked-by: Alistair Francis
Tested-by: Alexander Bulekov
Tested-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
---

(no changes since v1)

 hw/sd/sdhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 9acf446..f72d76c 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) SDRequest request; uint8_t response[16]; int rlen; + bool timeout = false; s->errintsts = 0; s->acmd12errsts = 0;
@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) trace_sdhci_response16(s->rspreg[3], s->rspreg[2], s->rspreg[1], s->rspreg[0]); } else { + timeout = true; trace_sdhci_error("timeout waiting for command response"); if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { s->errintsts |= SDHC_EIS_CMDTIMEOUT; 
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) sdhci_update_irq(s); - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { s->data_count = 0; sdhci_data_transfer(s); }

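Review bot: in the third hunk the gate is a local `timeout` flag rather than a test of `s->errintsts & SDHC_EIS_CMDTIMEOUT`; that is the right choice, because the second hunk only sets the status bit when `s->errintstsen & SDHC_EISEN_CMDTIMEOUT` is enabled, so a guest that masks the error interrupt would otherwise still get the data transfer started. Please add a one-line comment above `if (!timeout && s->blksize && ...)` saying exactly that, since the obvious future cleanup of folding the local into the status register would silently reintroduce the bug.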
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v3 2/5] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Date: Wed, 3 Mar 2021 18:41:25 +0800
Message-Id: <1614768088-20534-3-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>
References: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>

Per "SD Host Controller Standard Specification Version 7.00" chapter
2.2.1 SDMA System Address Register:

  This register can be accessed only if no transaction is executing
  (i.e., after a transaction has stopped).
With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Signed-off-by: Bin Meng
---

Changes in v3:
- Embed the reproducer in the commit message

 hw/sd/sdhci.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index f72d76c..3feb6c3 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) switch (offset & ~0x3) { case SDHC_SYSAD: - s->sdmasysad = (s->sdmasysad & mask) | value; - MASKED_WRITE(s->sdmasysad, mask, value); - /* Writing to last byte of sdmasysad might trigger transfer */ - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && - s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { - if (s->trnmod & SDHC_TRNS_MULTI) { - sdhci_sdma_transfer_multi_blocks(s); - } else { - sdhci_sdma_transfer_single_block(s); + if (!TRANSFERRING_DATA(s->prnsts)) { + s->sdmasysad = (s->sdmasysad & mask) | value; + MASKED_WRITE(s->sdmasysad, mask, value); + /* Writing to last byte of sdmasysad might trigger transfer */ + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && + SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { + if (s->trnmod & SDHC_TRNS_MULTI) { + sdhci_sdma_transfer_multi_blocks(s); + } else { + sdhci_sdma_transfer_single_block(s); + } } } break;

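Review bot: the rewritten block keeps both `s->sdmasysad = (s->sdmasysad & mask) | value;` and `MASKED_WRITE(s->sdmasysad, mask, value);`, which perform the same masked update; since every one of these lines is being touched anyway, drop the first one. Separately, the old trigger condition required `TRANSFERRING_DATA(s->prnsts)` and the new outer guard requires the opposite, so the case the comment "Writing to last byte of sdmasysad might trigger transfer" exists for (the guest supplying a fresh SDMA address after the controller paused at a DMA boundary) needs a check: if the controller still reports the DAT line active at that pause point, the write is now dropped silently. A qemu_log_mask(LOG_GUEST_ERROR, ...) on the rejected write, and a sentence in the commit message about the resume case, would make any regression here diagnosable.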
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v3 3/5] hw/sd: sdhci: Correctly set the controller status for ADMA
Date: Wed, 3 Mar 2021 18:41:26 +0800
Message-Id: <1614768088-20534-4-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>
References: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>

When an ADMA transfer is started, the code forgets to set the controller
status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
---

(no changes since v1)

 hw/sd/sdhci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 3feb6c3..7a2003b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s) switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ + s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; if (s->trnmod & SDHC_TRNS_READ) { + s->prnsts |= SDHC_DOING_READ; while (length) { if (s->data_count == 0) { sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s) } } } else { + s->prnsts |= SDHC_DOING_WRITE; while (length) { begin = s->data_count; if ((length + begin) < block_size) {

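Review bot: the two hunks set SDHC_DATA_INHIBIT, SDHC_DAT_LINE_ACTIVE and SDHC_DOING_READ / SDHC_DOING_WRITE in s->prnsts when an ACT_TRAN descriptor starts, but nothing in this diff clears them. Because the SDHC_SYSAD and SDHC_BLKSIZE writes elsewhere in this series are gated on !TRANSFERRING_DATA(s->prnsts), please confirm, and say in the commit message, that the existing ADMA completion and error paths already clear these bits; otherwise a finished ADMA transfer would leave the controller refusing all later register programming until reset.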
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v3 4/5] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
Date: Wed, 3 Mar 2021 18:41:27 +0800
Message-Id: <1614768088-20534-5-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>
References: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>

The code to limit the maximum block size is only necessary when the
SDHC_BLKSIZE register is writable.

Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
---

(no changes since v2)

Changes in v2:
- new patch: sdhci: Limit block size only when SDHC_BLKSIZE register is writable

 hw/sd/sdhci.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 7a2003b..d0c8e29 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - } - /* Limit block size to the maximum buffer size */ - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " - "the maximum buffer 0x%x\n", __func__, s->blksize, - s->buf_maxsz); + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " + "the maximum buffer 0x%x\n", __func__, s->blksize, + s->buf_maxsz); - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + } } break;

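Review bot: moving the clamp inside `if (!TRANSFERRING_DATA(s->prnsts))` is sound only because a rejected write leaves s->blksize at a value that already passed the clamp when it was set; the commit message currently says just that the clamp is "only necessary" there, and that one-line invariant is the reasoning a future reader will want. Minor, in the moved qemu_log_mask() call: the text says "Size 0x%x" but prints the whole s->blksize register rather than extract32(s->blksize, 0, 12), which is the value actually compared; since these lines are being rewritten, printing the extracted field would make the log match the check.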
From: Bin Meng
To: Philippe Mathieu-Daudé, Mauro Matteo Cascella, Li Qiang, Alexander Bulekov, Alistair Francis, Prasad J Pandit, Bandan Das
Cc: Bin Meng, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v3 5/5] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
Date: Wed, 3 Mar 2021 18:41:28 +0800
Message-Id: <1614768088-20534-6-git-send-email-bmeng.cn@gmail.com>
In-Reply-To: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>
References: <1614768088-20534-1-git-send-email-bmeng.cn@gmail.com>

If the block size is programmed to a different value from the previous
one, reset the data pointer of s->fifo_buffer[] so that s->fifo_buffer[]
can be filled in using the new block size in the next transfer.
With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
    -nodefaults -device sdhci-pci,sd-spec-version=3 \
    -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
    -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wörner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng
Tested-by: Alexander Bulekov
Signed-off-by: Bin Meng
---

(no changes since v2)

Changes in v2:
- new patch: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed

 hw/sd/sdhci.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index d0c8e29..5b86781 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { + uint16_t blksize = s->blksize; + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); } + + /* + * If the block size is programmed to a different value from + * the previous one, reset the data pointer of s->fifo_buffer[] + * so that s->fifo_buffer[] can be filled in using the new block + * size in the next transfer. + */ + if (blksize != s->blksize) { + s->data_count = 0; + } } break;
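Review bot: the reset in the second hunk sits after the buf_maxsz clamp, so `blksize != s->blksize` compares the clamped value with the snapshot taken before MASKED_WRITE(); that ordering is what makes an oversize write that gets clamped back to the previous size leave s->data_count alone, and it deserves a sentence in the new comment, because moving either the snapshot or the check across the clamp would change behaviour. The reproducer in the commit message is precise enough to become a qtest regression test; adding it would keep all five fixes in this series covered by CI rather than only by the embedded command sequences.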